[unisog] Preventing Dsniff/Arpspoofing

H. Morrow Long morrow.long at yale.edu
Fri Jun 14 00:04:13 GMT 2002


Mark Brochu wrote:
> Hi all.  We ( I ) are considering adopting ssl in our products to combat
> switching on sniffed networks.  However, I'm meeting a lot of resistance to

  "sniffing on switched networks" is what you probably meant to say WRT dsniff
  and arpspoofing.

> the idea.  I'm wondering what luck other Universities have had in this
> undertaking.  Many of our products (including Banner) do not have any ssl
> support to my knowledge.  

We strive to buy web-based third-party apps whenever and wherever possible
these days (rather than proprietary or custom-interface two-tier client/server
apps).  With almost all of these we can run the application inside a secure
(e.g. HTTP over SSL) web server rather than using just a standard HTTP web
server.  We avoid legacy terminal-to-host applications.

In a few cases where the product WAS a custom all-in-one proprietary web
server we were able to 'front-end' it with 'stunnel' (an SSLized HTTPS
'wrapper' which listens on a different port and then forwards the traffic
as HTTP to the ordinary web service running on another port via the
loopback interface, 127.0.0.1).  Typically you then want to block access
from outside the server machine to the non-SSLized web service port.

H. Morrow Long
Director
Information Security Office
Yale University, ITS
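The stunnel front-end described in the reply above, as an added example that is not part of the original post or of Yale's setup. The port numbers (443 for stunnel, 8080 for the plain web service), the certificate path /etc/stunnel/app.pem and the unprivileged 'stunnel' user are assumptions chosen for illustration; the config uses stunnel's service-section syntax and the firewall part uses iptables.

```shell
#!/bin/sh
# Added example, not from the original post: front-end a plain-HTTP-only web
# application with stunnel and close the plain port to everything but the
# loopback interface.
# Assumed (hypothetical) values: the legacy app listens on TCP 8080, stunnel
# listens on 443, certificate and key are in /etc/stunnel/app.pem, and an
# unprivileged 'stunnel' user/group exists for stunnel to drop to.

# Print an stunnel.conf (stunnel 4.x/5.x service-section syntax) to stdout.
# $1 = HTTPS port stunnel accepts on, $2 = plain HTTP port to forward to,
# $3 = PEM file holding the server certificate and private key.
stunnel_conf() {
    https_port="$1"
    plain_port="$2"
    pem="$3"
    cat <<EOF
; global options
cert = $pem
pid = /var/run/stunnel/app.pid
; drop privileges once the listening socket is bound
setuid = stunnel
setgid = stunnel
; this instance terminates SSL/TLS, it does not originate it
client = no

[app-https]
; listen on all interfaces for HTTPS ...
accept = 0.0.0.0:$https_port
; ... and hand the decrypted traffic to the plain web service on loopback only
connect = 127.0.0.1:$plain_port
EOF
}

# Print the iptables rules that let only the server itself reach the plain
# HTTP port: packets arriving on 'lo' are accepted, everything else is dropped.
# $1 = plain HTTP port.
plain_port_rules() {
    plain_port="$1"
    cat <<EOF
iptables -A INPUT -i lo -p tcp --dport $plain_port -j ACCEPT
iptables -A INPUT -p tcp --dport $plain_port -j DROP
EOF
}

# Install the config and apply the firewall rules. This only runs when the
# script is invoked as 'sh front-end.sh install' by root; otherwise the
# functions above just generate text for review.
if [ "$1" = "install" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    stunnel_conf 443 8080 /etc/stunnel/app.pem > /etc/stunnel/app.conf
    plain_port_rules 8080 | sh
    stunnel /etc/stunnel/app.conf
fi
```

The firewall rules are the part that actually enforces "block access from outside the server machine": stunnel alone does not stop a client on the LAN from connecting straight to port 8080 and sending its session in the clear. If the legacy server can be told to bind to 127.0.0.1 rather than all interfaces, do that as well, and verify from another host that a connection to the plain port is refused or dropped while the HTTPS port answers.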


